Configuring challenge passwords

In LANconfig, you configure the certificate parameters under Certificates > Certificate handling in the section Certificate issuing.





Validity period
Here you specify the validity period of the certificate in days.
General challenge password
An additional password can be entered here, which is transmitted to the CA. By default, this can be used to authenticate revocation requests. If the CA operates Microsoft-SCEP (mscep), the one-time passwords issued by the CA can be entered here to authenticate requests.

The Challenge table contains the certificate recipients' (clients') own passwords.





Distinguished name
Enter the distinguished name here. On the one hand, this parameter is used to assign CAs to system certificates (and vice versa). On the other hand, it is important for evaluating whether received or available certificates match the configuration. The entry is a list, separated by commas or forward slashes, in which the name, department, state and country can be specified for the gateway. The following are examples of how an entry might appear:
  CN=myCACN, DC=mscep, DC=ca, C=DE, ST=berlin, O=myOrg
  /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
MAC address
Enter the MAC address of the client whose password is to be managed by the challenge-password table.
Challenge
Enter the challenge (password) for the client here.
Validity
Enter the validity period of the password here. Selecting "one-time" makes the password a one-time password (OTP), so that, for example, it can only be used for authentication once.
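
The Distinguished name field above accepts two notations. The following is an added example, not LANCOM code, that parses both notations and compares two names. The function names and the matching rule (attribute order significant, values compared without regard to case or repeated spaces) are assumptions for illustration and may differ from the device's own comparison.

```python
import re

def parse_dn(dn):
    """Parse 'CN=a, O=b' or '/CN=a/O=b' into a list of (TYPE, value) pairs.

    Assumption: a leading '/' selects the slash notation, otherwise commas
    separate the components. A backslash-escaped separator is not split on.
    """
    dn = dn.strip()
    sep = "/" if dn.startswith("/") else ","
    body = dn[1:] if sep == "/" else dn
    rdns = []
    for part in re.split(r"(?<!\\)" + re.escape(sep), body):
        attr, eq, value = part.partition("=")
        attr = attr.strip().upper()          # attribute types are case-insensitive
        value = " ".join(value.split())      # collapse runs of whitespace
        if not eq or not attr or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr, value))
    return rdns

def dn_matches(configured, received):
    """True if both names have the same components in the same order."""
    def norm(dn):
        return [(a, v.casefold()) for a, v in parse_dn(dn)]
    return norm(configured) == norm(received)

if __name__ == "__main__":
    # The two example entries from the text above.
    for entry in ("CN=myCACN, DC=mscep, DC=ca, C=DE, ST=berlin, O=myOrg",
                  "/CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE"):
        print(parse_dn(entry))
    # Constructed comparison: same name written in the other notation.
    print(dn_matches("/CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE",
                     "cn=lancom ca, o=LANCOM  Systems, c=de"))
```

A name that fails to parse should be treated as a configuration error and not as a non-match, so that a typo in the table is noticed before a certificate request is rejected.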

Under CA encryption you configure the security parameters for the CA encryption.





Encryption algorithm
Here you specify the encryption algorithm used by the SCEP protocol. Both the certification authority (CA) and the certificate holder (client) must support the algorithm. The following methods are available:
  • DES
  • 3DES
  • BLOWFISH
  • AES128
  • AES192
  • AES256
Signature algorithm
Here you select the signature algorithm used by the Certificate Authority (CA) to sign the certificate. This method must be supported by the CA and the certificate recipient (client) as the client uses this signature to check the integrity of the certificate. The following cryptographic hash functions are available for selection:
  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512
Fingerprint algorithm
Here you select the fingerprint algorithm that the Certificate Authority (CA) uses to calculate the signature's fingerprint. Both the CA and the certificate recipient (client) must support the method. The fingerprint is a hash value of data (key, certificate, etc.), i.e. a short number string that can be used to check the integrity of the data. The following cryptographic hash functions are available for selection:
  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512